Description

In a typical loginas scenario, when the instructor returns to their own perspective (reverting to $_SESSION['REALUSER']) by clicking on their username in the page header, they are forced to re-authenticate, and then are supposedly returned to the page they were viewing.

This only works accidentally, as course/loginas.php attempts to set $SESSION->wantsurl before the redirect, but that assignment is discarded because session_write_close() was called as part of the flow of execution from require_logout() to session_get_instance()->terminate_current().

It accidentally works because login/index.php reconstructs $CFG->wantsurl from $_SERVER['HTTP_REFERER'], and generally that works out fine since the instructor would expect to return to the page they were viewing.

However, in the case of Shibboleth SSO, or any other auth plugin needing to examine the $CFG->wantsurl value in the loginpage_hook() method, it fails.

Also, considering that the terminate_current() method calls session_regenerate_id(), it can be assumed there may be some values yet to be placed in the new session, which the session_write_close() prevents.

At the very least, closing the newly created session should be optional, so that a script such as course/loginas.php can still use $SESSION.

The slight change we made to the Shibboleth module checks $SESSION->wantsurl, among other things, to issue a redirect to the Shibboleth-protected page (deep links, etc.). We try to send our users directly to the IdP when possible, rather than having an extra stop on the Moodle login page.

The only suggested fix right now is to remove the call to session_write_close() at the end of session_stub->terminate_current(), and let the end of processing take care of closing the session.

Petr Skoda added a comment - 17/Mar/13 7:54 PM

Thanks for the report. The session_write_close() is there for security reasons, I have used an extra redirect to get a fresh new session before setting the wanted URL.
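The mechanism behind the report, and the fix Petr describes, can be reproduced outside Moodle with plain PHP session calls. The script below is an added example written for this page, not Moodle's own code: terminate_current_like() is a hypothetical stand-in for the terminate_current() flow the report describes (clear data, session_regenerate_id(), session_write_close()), the user id and URL are constructed sample values, and the session store is a private temporary directory so it runs offline from the CLI. broken_flow() mirrors course/loginas.php assigning wantsurl after the session has already been closed; fixed_flow() mirrors the extra redirect, i.e. a second request that opens the fresh session before writing wantsurl.

```php
<?php
declare(strict_types=1);

// Isolated file-based session store (assumption: a writable temp dir) so the
// demo never touches a real application's sessions.
$savePath = sys_get_temp_dir() . '/wantsurl-demo-' . getmypid();
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');      // CLI: nothing to send a cookie to
ini_set('session.use_strict_mode', '0');  // allow session_id() to select an id

/**
 * Hypothetical stand-in for the terminate_current() flow in the report:
 * drop the old data, regenerate the id (deleting the old session), then
 * close the session for writing. Returns the id of the fresh session.
 */
function terminate_current_like(): string
{
    $_SESSION = [];
    session_regenerate_id(true);
    $fresh = session_id();
    session_write_close();
    return $fresh;
}

/** Re-open session $id and return what was actually persisted to the store. */
function persisted(string $id): array
{
    session_id($id);
    session_start();
    $data = $_SESSION;
    session_write_close();
    return $data;
}

/**
 * Request 1, the course/loginas.php pattern: wantsurl is assigned after
 * session_write_close() has already run, so the write never reaches the store.
 */
function broken_flow(string $url): array
{
    session_start();
    $_SESSION['REALUSER'] = 42;            // constructed sample: the instructor's real id
    $fresh = terminate_current_like();
    $_SESSION['wantsurl'] = $url;          // only updates the PHP array; session is closed
    return ['id' => $fresh, 'stored' => persisted($fresh)];
}

/**
 * Request 2, after the extra redirect: the browser comes back with the fresh
 * session id, the script opens that session first and only then sets wantsurl.
 */
function fixed_flow(string $id, string $url): array
{
    session_id($id);
    session_start();
    $_SESSION['wantsurl'] = $url;
    session_write_close();
    return persisted($id);
}

$url    = '/course/view.php?id=7';        // constructed sample deep link
$first  = broken_flow($url);
$second = fixed_flow($first['id'], $url);

// No output before this point: session_start()/session_regenerate_id() refuse
// to run once headers (or, on the CLI, any output) have been sent.
var_dump(isset($first['stored']['wantsurl']));   // false: the assignment was discarded
var_dump(($second['wantsurl'] ?? null) === $url); // true: set inside an open session

// Remove the demo's session files.
array_map('unlink', glob($savePath . '/sess_*') ?: []);
rmdir($savePath);
```

The point for anyone writing an auth plugin's loginpage_hook(): $_SESSION is an ordinary array once session_write_close() has run, so assignments after it succeed silently and vanish, and the next request sees only what was in the store when the session was closed. Setting the value in a separate request after the regenerate, as in fixed_flow(), keeps the security property of closing the session inside terminate_current() while still giving the redirect target somewhere to live.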